In today's emerging information society, more and more personal and proprietary information is stored in electronic databases. To prevent unauthorized access to these private databases, many electronic systems, computers, and networks require users to enter secret data to initialize a security relationship. While efforts have been made to utilize biological characteristics as secret data, through methods such as voice identification or retinal scanning, widespread use of these methods is years, if not decades, away. The predominant method for providing secret data remains the use of a data entry device, typically a keyboard or keypad, to enter secret data, such as a password or PIN (Personal Identification Number). Entry of the proper secret data initializes a security relationship.
The types of security relationships that are established by means of shared secrets include, but are not limited to, authentication, encryption, and digital signing. In authentication, the possession of the secret verifies the identity of the possessor. In encryption, the secret is used to cryptographically transform a message so it is concealed from third parties but may be transformed back into readable form by one possessing a related secret. In digital signing, a hash is computed over a block of data. The hash is then encrypted with the private cryptographic key of the signer. The signature can be tested by decrypting the signature with the public cryptographic key of the signer and comparing the result to a just-computed hash of the data block. If these values match, it shows that the signer had the private key corresponding to the public key and also that the data block has not changed.
Authentication credentials are often divided into two parts so that security is not compromised even if one part is lost or stolen. For example, a person wishing to transact business at an Automatic Teller Machine generally identifies himself or herself by presenting an “ATM card” and concurrently entering a string of numbers called a “PIN” (Personal Identification Number) onto a keypad. The “ATM card” bears identifying information, such as an account number, encoded on a magnetic stripe. A person possessing only half of the secret, only the ATM card or only the secret PIN, is not authorized to perform transactions. Similarly, home security systems rely on the authorized entrant to possess both a key to the house and a security system PIN. An authorized entrant generally disables a home security system alarm by using a keypad to enter a secret string of numbers. If a person entering the house fails to enter the correct PIN within a short period of time, the alarm system may automatically summon law enforcement personnel to apprehend the unauthorized person.
While many systems divide authentication credentials into a tangible object and a password or PIN, many systems rely solely on a password or PIN for authentication. For example, new short-range wireless data communications systems, such as the Bluetooth standard, use a PIN to generate a link key. The link key serves for authentication and encryption allowing secure communication between a pair of devices. Similarly, passwords are commonly used to secure access to computers and networks. For systems that rely entirely on a password or PIN for authentication, the security of the entire system may be adversely affected if the password or PIN is lost, stolen, or otherwise compromised.
A password or PIN may be stolen in several ways including detecting the keypad or keyboard using a physical sensor while the user enters his or her password or PIN or tapping into the electrical circuit or network downstream from the keypad or keyboard to capture the password or PIN after the user has entered it into the keypad or keyboard. Previous efforts have been focused on protecting PINs and passwords from this latter form of compromise; however, little work has focused on detection of secret data entry by physical sensors.
One way to steal a password or PIN using a physical sensor is to observe the keypad or keyboard as the user enters his or her PIN or password. This observation may be performed either visually or by means of an optical device such as a camera. Structures designed to prevent this type of monitoring are described in U.S. Pat. No. 5,748,728 to Ginsberg et al. entitled “Shield for Concealing Operation of a Keypad”. These structures may have provided some protection of passwords and PINS when the eavesdropping threat was limited to optical sensors. However, such simple security measures are increasingly ineffective as new highly-sophisticated physical sensors become readily available. This new breed of physical sensors includes devices that detect infrared signatures as well as refined audio sensors.
Devices that create images by detecting the infrared portion of the electromagnetic spectrum are well-known. These devices typically have been used in the public sector as military and police personnel may often use them to image human beings and structures in low-light conditions. Rescue workers use these devices in search-and-rescue operations to locate persons trapped in damaged buildings. Firemen use them to locate hot spots in burning buildings. Additionally, infrared-imaging devices are used routinely for medical diagnostic purposes to image the human body and differentiate between body areas of normal temperature and those with abnormal temperature, which might indicate a disease process, injury, or the like. Some infrared detectors are so sensitive that they can image, for example, footprints in the ground, by discerning the slight difference between the average background temperature and a temperature that is slightly elevated as a result of human contact.
An eavesdropper could use a sensitive infrared-imaging device to inspect a keyboard or keypad shortly after a person has entered a secret such as a PIN thereon. The eavesdropper would prefer to perform the imaging after the person entering the PIN has left the area in order to remain undetected by the person entering the PIN. The infrared-imaging device would be used to create an image of the heat signature on the keypad. The heat signature on the keys most recently touched would be slightly more intense than those touched earlier in the PIN sequence. By comparing the temperature values for the keys and arranging them in sequence from the coolest to the warmest, the eavesdropper could form a strong hypothesis about the sequence in which the keys were touched.
For example, FIG. 1 shows a conventional data entry device as detected using an infrared-imaging device. In this figure, the data entry device 10 is a keypad with keys 11 on it. This image of the keypad is taken immediately after a user has entered his or her PIN. In the image, the background temperature is represented by white. Temperatures above the background temperature are represented by varying shades of gray with black being the hottest temperature. As shown in FIG. 1, the 6 key is the darkest shade of gray. The 5 key is a slightly lighter shade of gray. The 2 key is lighter still. Finally, the 1 key is the lightest shade of gray. Thus, the 1 key is the coolest and the 6 key is the warmest. Now arranging the keys in order from coolest to warmest, the eavesdropper learns that the user's PIN is 1-2-5-6. Depending on the accuracy of the temperature data, infrared imaging may immediately and unequivocally reveal the PIN. Even if the shades of gray are very close together, this imaging greatly reduces the number of combinations that must be tried to learn the secret PIN. For example, if the shades of gray in FIG. 1 had been indiscernible, the use of imaging would still have reduced the number of combinations that the eavesdropper must try from 10,000 to 24.
One way of thwarting infrared detection is to require that PIN numbers include one or more repeated digits. Keys that are touched more than once are likely to be warmer than would otherwise be the case. For example, if a PIN number were 1223, the heat signature would likely show that the 2 key is the warmest since it was touched twice, followed by the 3 key, with the 1 key being the coolest. Thus, an eavesdropper would incorrectly surmise that the PIN was 231. However, if the eavesdropper realized that the PIN contained four digits, knowing in advance that all PIN numbers have one or more repeated digits would merely reduce the number of combinations that must be tried. As a result, this method of thwarting infrared detection would actually reduce the PIN's effectiveness as a secret. Therefore, a strong need exists for a way of thwarting infrared detection of secret data entered into data entry devices without reducing the data's effectiveness as a secret.
Aside from infrared-imaging devices, eavesdroppers could use refined audio sensors to discover secret data, such as a PIN or password, without resorting to direct observation. To discover a PIN, an eavesdropper might place a hidden microphone attached to a recording device in position to detect sound generated by entering data into a data entry device. The eavesdropper could then subject the recorded sound to a sensitive analysis, such as a Fourier transform, of the audio spectrum associated with pressing each key on a keyboard or keypad. This analysis may yield a distinctive, repeatable audio signature for each key. Such analysis is now increasingly possible with the computing-power of ordinary, inexpensive personal computers. Each key may have a different audio signature based on its physical characteristics and it physical location. The physical characteristics of each key will be different for a number of reasons. Different physical characteristics occur as part of the manufacturing process. Each key is manufactured within relatively imprecise tolerances such that there is an extremely small likelihood that two keys on the same keypad are exactly alike. Additionally, over time the striking surfaces of the keys on a keypad experience varying degrees of wear. This non-uniform wear contributes to distinct audio signatures for each key on the keypad. The physical location of each key on the keypad also contributes to distinct audio signatures for each key. Since each key is physically located in a different place on the keypad, any echoes from nearby objects, such as a shield around the keypad of an ATM machine, may be different for each key pressed. This difference occurs as a result of sound waves bouncing off nearby reflectors at different angles and travelling different distances prior to reaching the microphone. This audio spectrum information, either alone or in combination with the aforementioned infrared imaging means, may yield a very high probability of uncovering a secret PIN without direct visual or optical observation of entry.